This is a place for me to ruminate about Privacy. Since I work as Google's Global Privacy Counsel, I need to point out that these ruminations are mine, not Google's. Please don't attribute them to Google.

Tuesday, March 12, 2013

We Need a Better, Simpler Narrative of US Privacy Laws

Ask yourself why a European privacy regulator can propagate the preposterous view publicly that the US has "no effective privacy laws." And lots of people seem to believe that. And why does it matter?

On the global stage, Europe is convincing many countries around the world to implement privacy laws that follow the European model. The facts speak for themselves: in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws. Not a single country, anywhere, has followed the US-model.

Indeed, what is the US model? People in the privacy profession know that the US has a dense "patchwork" model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other "non-privacy" laws, like consumer protection laws, are regularly invoked in privacy matters. Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.

How on earth do you explain US privacy laws to an international audience? How do you explain the role of class action litigation to people in countries where it doesn't even exist? The US privacy law narrative is convoluted. That's a pity, since almost all of the global privacy professionals with whom I've discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy. (I didn't say "perfect", since laws never are, and I'm not grading them either.)

By contrast, Europe's privacy narrative is simple and appealing. Its laws are very general, aspirational, horizontal and concise. Critics could say they're also inevitably vague, as any high-level law would have to be. But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world. And they are enforced (at least, on paper) by a single, identifiable, specialist regulator.

Europe does a great job explaining (or marketing, if you prefer). The US has to figure out how to explain its privacy laws on the global stage. There's more at stake than just prestige. There's more at stake than just asking why Uruguay, to take a random recent example, looked to Spain, rather than the US, for inspiration as it wrote its recent privacy laws. What is at stake are important things: first, trust in US-based companies and trust in the US Government around the world. People will trust them less if they believe the story-line that they operate in a country with "no effective privacy laws". And second, hopes to include digital trade in President Obama's initiative for a grand new US-Europe Trade Pact. The lack of "adequate" US privacy laws is cited by Europeans as a reason why it is illegal to transfer personal data from Europe to the US, which is quite obviously, at least in part, a free trade issue. Privacy will prove a serious roadblock to any such future trade pact, as long as some people in Europe can argue that the US has no effective privacy laws.

Privacy is not alone among complicated subjects in need of a simple narrative. Visit a cathedral, if you need inspiration.

8 comments:

Anonymous
said...

Dear Peter :

All trade agreements have to respect each country's relevant internal law and not circumvent or undermine it.

US lacks horizontal privacy legislation +thus enforceable general privacy rules. this is a major handicap and the simple explanation why other countries follow the EU model instead. It brings legal certainty to companies and individuals can effectively exercise their rights.

So indeed: it is simple. It makes sense. It is good for business. And it's good for people.

But not all hope is lost : Apparently there seems to be bipartisan support for passing horizontal privacy legislation in the US. At last!

"How on earth do you explain US privacy laws to an international audience?"

I don't think they need explaining, the speaker is right that we have no "effective" privacy laws (the key word, "effective") because of government deference to corporations and law enforcement. The "dense patchwork" is a hodge podge of outdated, analog era statutes which in many if not most cases have been rendered meaningless by technological advances. (E.g., the 1986 ECPA or the third-party doctrine enshrined by SCOTUS in the '70s.)

IMO it's completely false to say the difference is in how the laws are "marketed." The differences are substantive and the fellow commenting on US laws IMO gave a more or less accurate assessment.

US citizens have no legal safeguards against the myriad of commercial data collection and profiling techniques employed by Google, Facebook and many others. There has been a tremendous increase in how our data is collected and used--including merging offline and online information; tracking across all platforms (web, mobile); selling cookie-based behavioural profiles of users to marketers in milliseconds (Doubleclick Ad exchange and others). The story in the US is a policy process dominated by the online ad lobby. Citizens around the world need the EU to enact a privacy law which places human rights ahead of data monetization interests.

I am a US citizen, long-time Internet user, and moderately sophisticated about privacy online.

Realistically, how do I effectively protect my privacy online? How do I know that I have done so? How do I thoughtfully and objectively protect myself against future risks, as I can attempt to do in other spheres of life through methods such as insurance? How do I thoughtfully and effectively protect individuals who the law understands as not fully responsible, such as people who are younger than 18? How do I even *know* what is being done with data about me, much less exercise any control over that?

If you can't answer questions like this in a way that a reasonable human being outside the technology industry can understand and act upon, then your problem goes well beyond branding.

don't you think the EU has done its own extensive analysis of US privacy laws (or lack thereof)? this is not just some anti-US marketing tactic, and it's not just a matter of the EU saying we're "inadequate" - it's because we ARE inadequate when compared against the protections afforded EU citizens. we're supposed to trust that marketing companies can self-regulate and come up with industry "rules", yet time and time again they nonchalantly, and without remorse, continue to sell, use, process, lose our personal data. but then they say that enacting a more comprehensive law would "stifle innovation" - maybe the innovation needs to be stifled so that we can deal with the privacy issues that continue to plague every technological break through.

Dear Peter,What a cool article; in 1999 Royal Bank of Canada did a study monetizing privacy and finding it might be a competitive differentiator. Your piece says America's lame privacy laws may now be working against us...We have disjoint, fractured and simply weak privacy in the US because it is profitable to keep things this way. In the 1997-99 time, when the 'opt-in/opt-out' debate about online privacy was at its height, we in the opt-in school of thinking lost. The 'rule' in America today on data and privacy seems largely to be that if you can't find 1) a law governing it, or 2) a contract covering it, then you can freely copy and monetize that data and privacy is irrelevant.So, how can we improve the US Privacy Narrative? Perhaps by changing our laws and enacting some coherent and broad protections for the commercialization of sensitive personal information.If company X holds my DNA, HIPPA says I have rights and they have duties.But if Axciom holds my entire rent and mortgage payment history but never uses it for credit (thereby escaping being tagged as a 'credit bureau' under law), you have ZERO rights to that data.As a father, tech lawyer and early internet CPO, I personally know that there is gold in them there human behavioral hills....I just don't like or want my life and that of my daughter's treated as raw material for someone's business with no respect for her or me as individuals or for our society.And thanks for your great blog; wish I'd found it sooner.Jamie Powers